So Im drafting a few LOAs (letter of authorization) for employers for some Penetration Tests. I havent ever drafted one from scratch before, and with just a few minutes of digging around I find several very rough outlines, generally with information like: make sure you include parameters, systems, etc. - good so far.

I was surprised that I could not find a few samples on line. Maybe Im a poor google hacker, but I found samples for all sorts of stuff, except LOAs.

So, does anyone know of a site or reference point with some good sample letters in it - I am looking to bounce what I have against a standard of some sort, or at least take some formatting and inclusion tips.

Heres a draft of whats currently in use by my employer all specific info dropped:

Attack & Penetration Authorization Form

The "Insert authority here" has authorized "Insert Tester Here" to operate and conduct A&P testing within Company's environment. All A&P program activities must be approved in advance, in writing, by the "Insert Authority Position here" or Executive responsible for the system to be tested.

Affected Business Unit(s) or Department(s)

Testing Dates

Targeted System(s) - (insert very specific information here, detailing the specific systems that you will target, and potentially what may NOT be targeted.

Objectives (insert what you are trying to test for here. This is a reasonable general statement attached)

Authorized testing personnel will assess physical and logical network/system security and privacy controls in systems identified. The assessment will entail both passive and active means of information gathering.

Authorized personnel will attempt to gain access to sensitive private or proprietary information in an effort to evaluate the security measures currently enacted, and provide recommendations for improvement.

Do we want to have a section that states whether it is a white, gray or black box test? How about something in regards to whether those in the affected business units / departments will be aware of the test?